Nuclear Safety Oversight Committee


REPORT OF


THE REACTOR SAFETY RESEARCH REVIEW GROUP 


Norman C. Rasmussen, Chairman 
Herbert J. C. Kouts, Vice Chairman 


Spencer H. Bush
Thomas J. Connolly
Herbert G. MacPherson
David Okrent
Lombard Squires
Edwin L. Zebroski


SUBMITTED TO 




September 1981 


The Honorable Bruce Babbitt 
Chairman 

Nuclear Safety Oversight Committee 
Washington, D.C. 20545


Dear Gov. Babbitt: 


I am pleased to transmit herewith the report of the Reactor 
Safety Research Review Group. You will note that it contains a 
number of recommendations directed toward improving the national
reactor safety research program, with particular attention to the
Nuclear Regulatory Commission research program. 


The text contains a number of recommendations considered 
important enough to be singled out. Of these, 26 were considered 
to be of a higher level of urgency and these have been listed at 
the front of the report for emphasis. 


We hope these recommendations will be of use to your committee
in carrying out its responsibilities. I would like to take this 
opportunity to thank you for your support and that of your staff, 
especially Mr. Steven Ebbin, in helping us carry out this review. 


I look forward to appearing before your committee on September 
23, 1981 to discuss this report in person. 


Very truly yours, 




Norman C. Rasmussen 




Table of Contents


Introduction
    Scope of the Review
    The Review Group
    Performance of the Review
    Research Considered in the Review
    Structure of the Report

Conclusions and Principal Recommendations
    General Conclusion
    New Research
    Existing Research
    General Comments on NRC Research Programs
    Research by DOE

I. Potential Accident Initiators and Their Prevention
    A. Internal Initiators
        1. The Primary Pressure Boundary
            a. General Considerations
            b. Pressure Vessel Rupture
            c. Effects of Water Hammer
            d. Valves
            e. Pipe Design for Seismic Loads
            f. Decontamination of the Primary System
        2. Operating Transients
            a. Loss of Electric Power
            b. Plant Control System Interactions
        3. Other Internal Initiators
            a. Fires
            b. Sabotage by an Insider
    B. External Initiators
        1. Earthquakes
        2. [illegible]
        3. [illegible]
        4. External Fires and Explosions

II. Response to Accident Initiators
    A. The Reactor Shutdown System
    B. The Emergency Core Cooling System
        1. Large Loss-of-Coolant Accidents
        2. Small Loss-of-Coolant Accidents
    C. Decay Heat Removal Systems
    D. [illegible]
        1. Engineering Simulation
        2. Validated Data
    E. Rulemaking on Minimum Engineered Safety Features

III. Fuel Damage and Mitigation of Its Effects
    A. The Fuel Damage Process
        1. Normal Operation and Anticipated Transients
        2. Super-Prompt-Critical Bursts in Power
        3. Local Melting of Fuel Pins at Power
        4. Degraded and Molten Cores
        5. Three Mile Island Recovery
        6. Power Burst Facility (PBF)
    B. Release and Transport of Radioactive Material
        1. Fuel Release Process
        2. Radioactive Material Transport Process
    C. Containment Effectiveness
        1. Containment Isolation
        2. Overpressure Failure
        3. Effects of Hydrogen
        4. Alternative Containment Designs

IV. Effects of Potential Accident Releases to the Environment and Their Mitigation
    A. Distribution of Radioactive Material
        1. Meteorological Modeling
        2. Hydrological Modeling
    B. Civil Protection Strategy
    C. Biological Effects of Radiation
    D. Economic Impacts of Large Releases

V. Important General Issues
    A. Human Error
    B. Probabilistic Risk Analysis (PRA)

VI. Organizational and Institutional Comments
    A. NRC Safety Research
    B. The Role of DOE in Light Water Reactor Safety Research
    C. Research in Other Countries
    D. Freedom of Publication
    E. The Role of Risk Assessment

Introduction 


Scope of Review 


This review of the national program of reactor safety research was performed
at the request of the Nuclear Safety Oversight Committee. It has been limited to
research related to safety of nuclear power plants, and specifically does not
include other aspects of the nuclear fuel cycle. It has been further restricted to
safety of light water moderated and cooled nuclear power plants of the types used
in the United States.


The Review Group 


To conduct the review, NSOC selected a group of individuals with extensive
experience in reactor safety issues. Professor Norman C. Rasmussen of the Department
of Nuclear Engineering at the Massachusetts Institute of Technology was asked to
chair this Review Group. The other members were:


Dr. Spencer Bush, Battelle Pacific Northwest Laboratories
Dr. Thomas Connolly, Stanford University
Dr. Herbert J.C. Kouts, Brookhaven National Laboratory
Dr. Herbert G. MacPherson, Institute for Energy Analysis
Dr. David Okrent, University of California at Los Angeles
Mr. Lombard Squires (retired), E.I. du Pont de Nemours Company
Dr. Edwin Zebroski, Nuclear Safety Analysis Center


Performance of the Review 


In performing its review, the Group had the benefit of meetings with a number
of members of the U.S. water reactor safety research community. An organizational
meeting was held on April 24, 1981, in Chicago. A second meeting was held on June
4-5 in Washington, D.C., with representatives of NRC's Office of Nuclear Regulatory
Research and representatives of DOE. On June 25-26, a meeting was held in Denver
with representatives of the four LWR vendors (Westinghouse, Combustion Engineering,
Babcock and Wilcox, and General Electric), selected utilities (Commonwealth Edison,
Tennessee Valley Authority, Duke Power, and Pacific Gas and Electric), and
individuals representing consulting companies (Saul Levine of NUS, Robert Budnitz of
Teknekron, and Mario Fontana representing IDCOR*). In addition, individual members
of the Review Group visited all of the National Laboratories where the bulk of the
nation's safety research is done. Discussions were held there with staff members
at both the managerial and working level. Comments and views expressed to the
Review Group at both individual and group meetings have been factored into this
report, but without attribution.

* Industry Degraded Core Rulemaking Program

An extended meeting of the Review Group was held in Seattle from August 10-14,
1981. A final meeting was held in Washington on September 2, 1981.


Research Considered in the Review 


Research on light water reactor safety is sponsored by many organizations.
These include the Nuclear Regulatory Commission (NRC) and the Department of Energy
(DOE) in the public sector, and reactor vendors and the utilities through owners'
groups and the Electric Power Research Institute (EPRI) in the private sector.
There is also a substantial and growing amount of water reactor safety research
abroad, principally in the Federal Republic of Germany, France, Japan, and Sweden.
Because many projects abroad are sponsored jointly with organizations in the U.S.,
and because the information developed in most national programs is fully exchanged,
water reactor safety research should be viewed as an international effort. Some
attention is therefore given here to contributions by other countries.

At the present time, more than half of the research on water reactor safety
in the United States is sponsored by the NRC. In FY-82, for example, the budget of
the Office of Nuclear Regulatory Research of NRC is $230 million, of which
approximately $200 million is destined for light water reactor safety research. The
research by DOE on this subject is very limited. Public Law 96-567 now calls for a
substantial DOE role in this area. Implementation of this law is still under
review, and budgetary allocations for it have yet to be made.

In the private sector, water reactor safety research is frequently sponsored
by groups of utilities and/or nuclear steam supply vendors with specific common
problems. The Electric Power Research Institute (EPRI), the research arm of the
electric utilities, is also a sponsor of substantial research on light water
reactor safety and reliability. In FY-82, EPRI's expenditures in this area are
expected to amount to about $65 million. Since the accident at Three Mile Island,
the industry has also formed the Nuclear Safety Analysis Center (NSAC) and the
Institute for Nuclear Power Operations (INPO). These organizations sponsor
additional activities to improve safety of light water reactors.


These estimates of $200 million expended annually in the public sector on
light water reactor safety research, and perhaps half that value sponsored by the
private sector, are necessarily arbitrary. Typical questions that arise in
considering whether a given project by industry should be included are: is it research
or is it simply engineering analysis, and is it research to improve reactor safety
or to improve a vendor's product? For example, the question of whether a given
research project is or is not safety research arises in connection with certain
programs sponsored by owners' groups, which deal with product reliability (e.g.,
improvement of design of steam generators for PWRs). It is acceptable to argue
that increased reliability leads to increased safety, but these programs are driven
more by economic considerations than by safety considerations.

The NRC, on the other hand, also conducts many activities resembling research
in its Technical Assistance Programs. These are not usually defined as research,
even though some programs under the rubric of technical assistance have been
long-term and have been exploratory in nature. These technical assistance programs
have not been reviewed here.


Structure of the Report 


The review that follows has been structured along the lines of accident
analysis, because this brings up the safety issues in a natural way. The first section
discusses research that helps to avoid accidents and research on the modes of
accident initiation. This is followed by a section on research pertinent to the
response of the plant to initiating events, including functioning of safety systems.
The third includes research on the consequences within the plant if the protective
systems were to fail; this includes fuel failure and liberation of fission products
from fuel, transport of the fission products, and their release from the
containment. The fourth section includes research on consequences of fission product
release. The fifth includes questions which pervade the entire accident analysis.
The sixth contains observations on organizational and institutional subjects.

Interspersed in the text of the report are a number of recommendations that
the Review Group feels would improve the overall effectiveness of the national
program. The most important of these are singled out in the text. Forty-two
recommendations are emphasized in this way.


Conclusions and Recommendations


General Conclusion


The national research program on safety of light water reactors began to
assume its present form and objectives only about eight years ago. The structure it
assumed then was a reaction to questions raised during the long hearing of 1972-73
on criteria for effectiveness of emergency core cooling systems. The program has
kept this initial orientation ever since, with little redirection to topics not
originally included. This is understandable in the context of the length of time
that has been found necessary to mount such a complex research program and to carry
it to useful conclusions. In the intervening period, the program has made
significant progress in answering questions on reactor safety. The NRC, its contractors,
and those in industry who have joined in this program have earned and well deserve
a substantial measure of credit for important contributions to the safety of the
public.


The Large LOCA Program 


In particular, the research to improve understanding of the large
loss-of-coolant accident has been an unquestioned success. It has progressed to the point
where the strong emphasis on this research objective can now be wound down. The
LOFT program, which is the centerpiece of large LOCA research, has succeeded in its
original objectives, and the Review Group agrees with views expressed elsewhere
that moves to decommission LOFT can now be taken. In subsequent sections of this
report, we identify high priority areas in which research results are urgently
needed, and to which the resources saved through the phasing out of LOFT should be
applied. Our recommendation is:


The LOFT program should be phased out in an orderly manner. This Review
Group is divided on whether the experimental program for LOFT should be
completed in FY-82 or FY-83. (p. II-2)*


New Research 


Very important issues have arisen in other areas in the past few years, and a
number of these now compete for attention. Research programs have been started on
some of these issues. In some other instances, though, research programs are
required but do not exist. We have singled out a number of issues that urgently need
research but on which no significant research is being done. Recommendations on
these are given in the text of our report. The most important are listed below, in
order of urgency and importance.

* Each recommendation repeated in this section is accompanied by the page number of
the main report where it may be found.


A major effort should be undertaken to develop and evaluate improved or
alternate approaches to more reliable shutdown heat removal systems, for both the
reactor vessel and the containment. (p. II-3)


A program should be initiated to develop and evaluate methods of providing
more reliable electric station power, both AC and DC. Such a program would
have significant value and an excellent cost-benefit ratio. (p. I-7)


A program should be undertaken to examine the relative safety merits of rigid
versus flexible seismic design of piping. The program should consider
allowance for inelastic behavior of piping and evaluate the potentially adverse
impact of an excessive number of hangers and snubbers on in-service inspection
and the possibility of crack initiation during normal operation due to snubber
malfunction. (p. I-5)


Industry or DOE programs should be established to develop valves with more
reliability of function under normal and abnormal operating conditions. (p. I-4)


DOE and industry should now proceed with the long-planned, comprehensive
program to develop and demonstrate primary system decontamination techniques
applicable to LWRs. This program should include techniques which reduce the
initial deposition of radioactive materials. (p. I-5)


A national LWR system simulation program should be undertaken cooperatively by
DOE and NRC. This program should treat both PWRs and BWRs generically. The
principal goal should be the development of computational capability to study
LWR behavior in real time or faster through a wide range of severe transients
including accidents involving extensive core damage. (p. II-4)


NRC programs should be established to determine the mode and likelihood of
severe damage by water hammer, to permit engineering solution to prevention of
damage to the plant and especially to safety-related systems. (p. I-4)


The NRC should undertake the studies needed to develop design measures and/or
other measures which protect against sabotage by an insider while not
compromising safety in other respects. (p. I-7)


Existing Research 


Among the research programs now being supported, several have received
specific attention in our report. In most cases, this is because either increases or
decreases in emphasis are appropriate. In a few cases we have said that current
levels of support are reasonable. Among our recommendations on existing research
programs, the following are especially important. They are given in order of urgency
and importance:*


Probabilistic risk analysis indicates that about half the risk from reactor
accidents is attributable to human error. The body of knowledge concerning
pertinent human factors is inadequate, and it is important that further
research be done in this area to provide an adequate technical basis for
regulatory activities. The NRC should establish relative priorities, so that its
research program will be structured to obtain the most important information
first. The important information is that which can be used to improve control
room design, operator aids, and selection and training of operators, which
should lead to reduction of rates of human error. Further, the NRC program
should be coordinated with industry efforts. (p. V-2)


The NRC, DOE, and industry have ongoing programs to provide improved
understanding of radioactive releases possible after severe reactor accidents.
These should encompass a range of conditions and accident scenarios sufficient
for broad understanding of the processes of transport and release of the
important radioactive isotopes. The NRC program should provide as much
information as possible for the degraded core cooling hearings. There is also a need
for a long-range program in this area. (p. III-7)


The NRC program on the small loss-of-coolant accident should be continued, to
the point where capability to answer important questions of thermal-hydraulics
and fuel performance is assured. (p. II-3)


The possibility of cold repressurization of reactor pressure vessels that have
undergone large shifts in nil ductility transition temperature provides a
potential mechanism for a major failure of the pressure boundary. The
substantial programs underway or in the advanced planning stage should be funded and
coordinated to assure that the issue is resolved in a 1-3 year time frame.
(p. I-3)


Ample federal funds should be made available for developing timely information
through examining the degraded core in TMI-2. The current program of DOE to
carry out such investigations should be supported. (p. III-4)


The NRC is initiating a research program on the issue of evolution and burning
of hydrogen in accidents. This program is important and should be pursued
expeditiously. Complementary programs by industry should be taken into account
in structuring the NRC's research program. The significance of containment
design and volume should also be taken into account. (p. III-9)


The use of probabilistic analysis is rapidly expanding. A significantly larger
research program is needed to improve and standardize the methodology as much
as possible. Particular areas that need improvement are: methods of handling
common cause failures, data collection and analysis, accuracy of the estimated
frequency of very low probability events, and assurance of the quality of
analyses. (p. V-4)


Research on the role and importance of plant control systems in LWR safety
should be greatly augmented. (p. I-7)


The NRC should promptly identify the information needs of the rulemaking on
minimum engineered safety features of future LWRs that can be supplied in time
by safety research, and assign the necessary priority and resources to this
task. (p. II-5)


The NRC should promptly identify that information which it needs for the
degraded core cooling rulemaking and which safety research can supply in time for
the hearing. It should assign the priority and resources to get the job done,
[illegible], if necessary, other less urgent degraded core safety research.
(p. III-4)


The NRC safety research program on mitigation of degraded core and core melt
accidents should be modified as necessary to provide the information needed on
alternative containment design concepts under consideration, including improved
containment cooling, containment venting, venting and filtering, core debris
retention, and hydrogen control. (p. III-10)


* Dr. Okrent has the following additional comment:
All of the above recommendations are important. If required to assign
priorities, I would arrive at a somewhat different order. I would place the 4th,
9th, and 10th recommendations on cold repressurization, minimum engineered
safety features, and the degraded core cooling rulemaking, respectively, in a
group at the top of the list. I would place the 1st, 2nd, and 11th on human
factors, the radioactive source term, and mitigation features, respectively,
in the next highest group. I would place the 3rd, 7th, and 8th on the small
LOCA, probabilistic analysis, and control systems, respectively, in a third
group, while the 5th and 6th on the TMI-2 core and hydrogen, though still
important, would be in a last group.


General Comments on NRC Research Programs 


We also reviewed such pervasive matters as the logic and structure of NRC's
safety research program, the way the benefits of research are incorporated (or not
incorporated) into regulations, and the general relationship between the Office of
Nuclear Regulatory Research and the other components of NRC. Among the observations
we transmit are several recommendations on improvements to the way NRC plans,
manages, and uses its research programs. The most important are:


The Commission should encourage and promote the visible integration of the
results of safety research into the regulatory process. Regulatory requirements
should not rest on bad science when good science has become available. If
retention of conservatism is desired because of uncertainties or for other
reasons, this should be done through the application of explicit safety factors to
a calculation based on best available methods, in accordance with good
engineering practice. (p. VI-3)


The limitation of NRC's programs to "confirmatory research" should be removed,
so that exploratory research and research to improve safety can be undertaken
when this looks like the better course to follow. (p. VI-3)


NRC's Long Range Research Plan (NUREG-0740) should be restructured to follow
lines of Agency objectives. This should infuse it with a more up-to-date
logical structure and discourage the tendency to support more of what has already
been done. Introduction and continuation of guidance at the Commission level
will be of fundamental importance in confirming the objectives and
restructuring the plan. The restructured long-range plan should be more specific in
defining the deliverables in each program. (p. VI-3)


A policy should be instituted whereby probabilistic risk assessment is used as
one tool in establishing priorities of research programs. (p. VI-6)


The last of the above recommendations should be read in a context broader than
NRC programs on safety research. It is good advice for all applied research.


Research by DOE


In Public Law 96-567, Congress directed the Department of Energy to undertake
studies leading to a program to contribute to sound design and safety of nuclear
power plants. We have reviewed the DOE's reactions to these instructions and find
them to be weak and generally unresponsive. We have two important recommendations
on this subject, listed below:


DOE should form a strong staff of technical and managerial personnel
knowledgeable and experienced in the subject of water reactor safety, to develop and
implement programs of safety research in this field. (p. VI-5)


DOE should develop a program of generic research to improve water reactor
safety, and assume a substantial responsibility in the area of accident prevention
to supplement other programs designed to reduce the likelihood of nuclear power
plant accidents. (p. VI-5)


I. Potential Accident Initiators and Their Prevention 


For many years it has been well known that the occurrence of certain incidents
during the operation of a nuclear power plant could start a chain of events leading
to fuel damage and accidental release of radioactivity, if not responded to
correctly. It is convenient to classify such events into those having external causes
and those resulting from failures inside the plant. Risk analyses generally
conclude that among the external causes, large earthquakes are the most likely to
cause a serious accident. Other causes considered in safety analyses are floods,
wind storms, external fires or explosions, and sometimes airplane crashes. Among
the internal events considered are failures in the primary system boundary,
anticipated or unanticipated transients requiring shutdown of an operating plant, and
human errors. (Human errors are discussed in Section V.)

A. Internal Initiators 


The main cooling system of a light water reactor (LWR) contains water at high 
temperature and pressure. If the pressure system boundary should leak or fail, 
water and steam would be rapidly ejected and a loss-of-coolant accident would be 
initiated. The outcome of such an event would depend upon the effectiveness of the 
emergency safety features of the plant in coping with the event. 

Another broad class of initiating events is termed transients. These are 
events that would require plant shutdown, and thus the plant shutdown system must 
operate effectively and then the decay heat removal system must dissipate the heat 
generated by the radioactive decay of the fission products. Both classes of events 
are considered here. 

1. The Primary Pressure Boundary

a. General Considerations 

The reactor pressure boundaries of LWRs have been a major subject of
attention. Most safety-related R&D programs emphasize pressure boundary integrity,
possible degradation mechanisms, nondestructive examination (NDE) techniques for
inspecting the pressure boundary, and loads, particularly under faulted conditions.
Programs on functional performance of pumps and valves under extreme conditions
have been relatively limited and deserve more attention. The areas of mechanical
components and structural safety have substantial overlaps with regard to
seismicity, load combinations, codes and standards, and behavior under transient and
accident loads other than seismic; the programs are well conceived and have been
meeting their goals.


The NRC fracture mechanics program needs to be examined in the context of
national and international work in linear-elastic fracture mechanics (LEFM),
elastic-plastic fracture mechanics (EPFM), and general yield fracture mechanics. Taken
separately, the NRC program alone is considered inadequate; however, the overall
coverage nationally and internationally is excellent. LEFM has been applied
directly to nuclear systems for some time. It is recognized that there is
substantial overlap among programs on EPFM, but this overlap is considered acceptable in
such a relatively new field. The progress in EPFM has been rapid, and this
methodology should be ready for application within a year. The ultimate test will be
found in application to real systems.

Intergranular stress corrosion cracking (IGSCC) in austenitic stainless steels
has been a major problem for BWRs and it has occurred in some PWR piping to a
limited degree. Extensive research on this topic has been funded by NRC, EPRI, and
industry (e.g., the BWR Owners Group). The phenomenology of IGSCC is now fairly
well understood as are materials optimized to eliminate IGSCC in new piping
systems. An area that has also been investigated extensively has to do with actions
that might be taken to minimize IGSCC in existing systems. These actions include
rigorous control of water chemistry, and means to reduce stress levels in
sensitized regions (near welds). An example is the application of
induction-heating-stress-relief (IHSR) pioneered in Japan, to place the inner surfaces in the
heat-affected zone in compression. Despite extensive research and actual plant
applications in Japan, there is still some question by the NRC staff regarding the degree
of stress reversal attained. Some programs to further quantify the value of the
process and to qualify it could be of value.

The steam generator tube degradation/integrity work is a part of a larger
overall program funded nationally and internationally. The industry research
program has led to a reduction in the rate of tube damage and required tube plugging.
Several reactors have units with degraded steam generator tubing. These units will
probably continue to operate until the number of tubes plugged is excessive. One
area that has not been considered sufficiently using recent accident analysis codes
is estimation of the consequences of a transient or some other failure that might
lead in turn to the failure of a significant number of tubes. Such failures could
lead to the degradation of ECCS function.


Programs should be funded to apply the best available analyti- 
cal methods to the assessment of effects of failure of degrad- 
ed steam generator tubing on reactor transients and accidents. 




The final area relevant to the pressure boundary is nondestructive evalua- 
tion. The extensive programs need to be examined in the context of other national 
and international programs. Programs are generally very good, with good rapport 
among the NDE community. The work seems to be progressing well toward adequate 
resolution of all issues. Adequate methods are becoming available, but extensive 
validation campaigns are needed to get code approvals and/or to support NRC accep- 
tance while the code approval process is carried through. 

b. Pressure Vessel Rupture 

Analyses some years ago by AEC and ACRS resulted in the conclusion that the 
probability of reactor pressure vessel rupture was acceptably low. Recent reactor 
occurrences have, however, drawn attention to a possible RPV failure mechanism, not 
analyzed in the past, which is called cold repressurization. 

Significant risk from cold repressurization in reactor pressure vessels could 
appear near end of life for some vessels. The initiating incident might be a par- 
tial blowdown of the PWR secondary side. If there were a flaw in the reactor pres- 
sure vessel beltline near the inner surface, if the vessel had undergone severe 
radiation damage in its beltline, and if the cooling rates were sufficiently rapid 
to generate high tensile loads around the flaw, fracture might in principle occur. 
Major programs are planned or are underway by NRC and industry. One area of possi- 
ble inadequacy is in the ability of NDE to detect flaws near the inner surface. 
Much of the development of ultrasonic systems optimized for detection in this 
region has occurred in Europe. The problem is one of quantification of reliability 
and validation for code approval rather than a feeling that no UT systems exist 
capable of reliable detection. 


- The possibility of cold repressurization of reactor pressure vessels
that have undergone large shifts in nil ductility transition
temperature provides a potential mechanism for a major failure of 
the pressure boundary. The substantial programs underway or in the 
advanced planning stage should be funded and coordinated to assure 
that the issue is resolved in a 1-3 year time frame. 


c. Effects of Water Hammer 

An issue of continuing importance is the effect of water hammer and water 
slugging on PWR and BWR piping systems. Water hammer incidents which have caused
damage to piping, valves, valve operators, etc. have been extensively reviewed; 
however, research aimed at assessment of the severity of water hammer required for 
damage, and corrective measures, has been quite limited. Little is known concerning
the probability of initiating a LOCA by water hammer.


- NRC programs should be established to determine the mode and like- 
lihood of severe damage by water hammer, to permit engineering so- 
lution to prevention of damage to the plant and especially safety- 
related systems. 


d. Valves 

Valves represent a major possible source for the initiation of accidents, not 
so much by structural failure, but through loss of function. Definitive studies 
have been conducted on modes by which valves fail; however, little has been done 
to develop measures to minimize functional failure. Corrective action will re- 
quire definitive research programs and close rapport with valve manufacturers. 
Establishment of this rapport is recognized as very difficult but necessary. 


- Industry or DOE programs should be established to develop valves
with more reliability of function under normal and abnormal operat- 
ing conditions. 


e. Pipe Design for Seismic Loads 

A common complaint from utilities is the adverse effect that conservatisms in 
seismic design have had on piping systems. Conservatism in damping factors used to 
calculate response of piping to earthquakes has initiated a chain reaction adverse- 
ly affecting maintenance, in-service inspection, and general piping reliability. 
Current regulations result in such a large number of supports and snubbers to comply
with postulated seismic loads that it is difficult for maintenance or in-service
inspection personnel to obtain access to piping. Furthermore, the rigidity
of the systems leaves little margin for errors in installation. The NRC Seismic 
Safety Margins Research Program (SSMRP) has as one objective the assessment of be- 
havior of piping under seismic loads. Previous programs have confirmed that large 
damping factors exist under loads, and have also developed inelastic response com- 
puter codes. These programs indicate the advantages of basing design on meaningful 
inelastic response rather than on conservative elastic response. Available records 
on petrochemical plants confirm that seismic loads rarely, if ever, have failed 
piping of diameter greater than 4 inches when such systems are left flexible and 
where little attention has been paid to seismic design. Increased flexibility in 
nuclear service should result in increased overall safety through better maintenance
and in-service inspection and through design to conditions more forgiving
under stress.


- A program should be undertaken to examine the relative safety mer- 
its of rigid versus flexible seismic design of piping. The program 
should consider allowance for inelastic behavior of piping and
evaluate the potentially adverse impact of an excessive number of
hangers and snubbers on in-service inspection and the possibility
of crack initiation during normal operation due to snubber malfunction.


f. Decontamination of the Primary System 

The primary system of an LWR becomes contaminated in service by the deposition 
of films of corrosion products consisting predominantly of iron and nickel hydrous 
oxides, with an appreciable amount of cobalt as the most important radionuclide. 
During sustained operation of the reactor, a progressive and irreversible increase 
in the level of radioactivity in the primary piping and equipment occurs, which 
prevents or inhibits "hands-on" access to these components after the reactor is 
shut down. Substantial research and development have been undertaken by industry
over the years to understand the chemistry and to remove (decontaminate) the accu- 
mulated deposits. 

An integrated research and development program is needed to establish tech- 
niques and procedures for routine on-line decontamination of commercial power reac- 
tors. 

If such demonstrated techniques could be used industrywide, there would be 
fewer plant outages, better equipment surveillance and maintenance, enhanced safety 
of the primary system, and a major and urgently needed reduction in exposure of 
plant personnel. 


DOE and industry should now proceed with the long-planned, compre- 
hensive program to develop and demonstrate primary system decontam- 
ination techniques applicable to LWRs. This program should include 
techniques which reduce the initial deposition of radioactive 
materials. 


An important large pilot demonstration to decontaminate the primary system of 
Dresden-1 has been delayed several years by regulatory problems. These should be
resolved promptly by NRC. DOE should give high priority to this demonstration and
support the follow-on, full-scale decontamination of Quad City-1 using the dilute
solution approach to be demonstrated at Dresden-1.


The proposed decontamination demonstration at Dresden-1 should be 
undertaken expeditiously. 


Because of a difference in reactor water chemistry, a low concentration pro- 
cess is more applicable to BWRs. Significant and encouraging progress has been 
made at the PNL decontamination test facility which indicates that the advantages
of the low concentration process can be extended to all LWRs. 

Compatibility of the decontaminating solution with primary system components 
must be demonstrated, as well as practical and safe methods of disposing of the 
spent solutions. A large R&D program involving industrial and academic laborator- 
ies will be needed. 


- Research programs to develop low concentration decontamination processes
for both BWRs and PWRs should be continued and expanded.


2. Operating Transients 

Plants are typically shut down about five or more times a year, sometimes for 
planned reasons, but just as often for unexpected reasons. For the most part the 
unplanned shutdowns are caused by such events as turbine trip and loss of feedwater.
From long experience such events have come to be expected, and little further
research is needed to understand them. However, two unusual types of transient
do warrant further study: station blackout (i.e., loss of all AC or DC
power), and events initiated by complicated interactions between the plant control
systems.


a. Loss of Electric Power 

The possibility of complete loss of electric power supply, either DC or AC, is 
a significant contributor to total risk for PWRs. In the larger context of protection
of the plant itself, the reliability of electric power is vital to all nuclear
power plants, because extended failure would lead to severe damage to the core. 
Improvement of reliability of electric power, either offsite or onsite, would prob- 
ably be the most effective way to reduce risk to the public and to the industry. 

It is therefore somewhat surprising that no research to improve the reliability is
included in any of the programs the Review Group has considered.

A reasonable first course would be to review carefully the fault trees that 
analyze electrical failure, to determine which problems are most important and 
which are most amenable to remedy. A modest program to improve reliability should 
evolve naturally, and it could be highly cost-effective in reducing risk. Some 
possible alternatives that might develop are improved diesel generators, alternatives
to improved diesels, portable generators with tie-on locations, instrumentation
for DC battery banks, automatic testing for weak cells in battery banks, etc.




- A program should be initiated to develop and evaluate methods of 
providing more reliable electric station power, both AC and DC. 
Such a program would have significant value and an excellent cost- 
benefit ratio. 


b. Plant Control System Interactions 

The traditional approach to LWR design has been to require that reactor protection
systems be "safety grade," but to impose no special requirements on other
control systems. In recent years, several severe or potentially severe transients
in LWRs have been initiated by control system failures. Also, it has been recog- 
nized that, in some cases, control system failure might not only cause a challenge 
to safety systems but also negate or complicate the efficacy of some of the safety 
systems needed for the transient under consideration. 

Research is needed to better define the role of plant control systems in LWR 
safety so that those changes which are important to safety can be made. 


- Research on the role and importance of plant control systems in LWR
safety should be greatly augmented.


3. Other Internal Initiators 

a. Fires 

Since the fire in the Browns Ferry plant, considerable NRC attention has been 
aimed at reducing the likelihood that fire will cause serious accidents. There 
seems to be no need for any expanded research in this area. 

b. Sabotage by an Insider 

The matter of how and when to include design measures and/or other require- 
ments to protect against sabotage by an insider is complex and requires careful, 
detailed study if a nearly optimal approach is to be developed. The NRC has com- 
pleted some scoping studies on this matter. The next step in instituting a system- 
atic and sufficiently detailed examination and evaluation of possible approaches to 
development and adoption of NRC criteria on this matter should be given the necessary
priority in the NRC safety research program.


The NRC should undertake the studies needed to develop design meas- 
ures and/or other measures which protect against sabotage by an 
insider while not compromising safety in other respects. 




B. External Initiators 
1. Earthquakes 


Many probabilistic analyses conclude that earthquakes are an important con- 
tributor to the overall risk. The validity of this conclusion is hard to assess 
because of the large uncertainty associated with earthquake analysis. The uncertainty
appears both in estimates of the frequency vs magnitude of large earthquakes
and in estimating the probability of damage by earthquakes of a given magnitude.
Comments on research needed to address these issues are noted in other sections of
this report, particularly in the discussion of piping and probabilistic risk analysis.
Estimates of the risk from large earthquakes show a great sensitivity to assumptions
as to the size of the largest possible earthquakes in a given seismic
region. 


- The prediction of earthquake magnitude as a function of frequency
still has significant uncertainties and is an important area for 
further research. 


2. Floods

Methods for estimating the flood level as a function of flood frequency are
still uncertain.


Research aimed at developing more realistic predictions of flood 
level as a function of flood frequency is warranted. 


3. Wind

The frequency of tornadoes is well known from weather records. The wind load- 
ings and the impact of wind-driven missiles have been well studied. Further re- 
search is not needed in this area. 

4. External Fires and Explosions

The effects of fires and explosion from sources outside the plant will gener- 
ally have to be dealt with on the basis of engineering judgment. No research is 
needed in this area. 


II. Response to Accident Initiators 


As implied in the previous section, the first level of defense against acci- 
dents is to design, build, and operate the plant so as to reduce the frequency of 
possible accident initiators. The second level of defense is provided by plant 
systems designed to respond to initiating events and terminate their effects before 
serious damage occurs. The plant contains a number of systems designed to respond
automatically to a variety of initiating events. Most important among these are 
the reactor shutdown system, the emergency core cooling system, and the heat remov- 
al system. On a longer time scale (greater than about 10 minutes) the operator is 
also required to respond. 

A. The Reactor Shutdown System 


All reactors are required to have a quick-acting highly reliable system to 
stop the chain reaction. This is accomplished by rapid (a few seconds) insertion 
of neutron poisons called control rods into the core. In addition, LWRs have more 
slowly acting systems which inject boron-containing liquids into the primary cool- 
ant. The effect of these poisons on the chain reaction is well understood. The 
principal question remaining is just how reliably these systems function. Comments 
on the need for developing better techniques for estimating the failure rate of 
highly reliable systems are made in Section V. 

B. The Emergency Core Cooling System


Following a rupture of the primary system boundary, it would be important to 
add water to the system to make up for the water lost out of the break. For large 
breaks, large volumes of water at low pressure would be required, while for small
breaks, small volumes of water at high pressure would be required. 

1. Large Loss-of-Coolant Accidents

The large loss-of-coolant accident has been studied in great detail for well
over a decade. Elaborate thermal-hydraulic codes have been developed and checked 
against experimental measurements. The most pertinent full system measurements 
came from the LOFT tests. There is now little doubt that the current NRC methods 
of determining the effectiveness of the systems for coping with large loss-of- 
coolant accidents are very conservative. 

The LOFT program to study loss-of-coolant accidents (LOCAs) in a small PWR was
initiated in 1962. The program was redirected in 1967, and in 1969 LOFT was redesigned
to include features that model the emergency core cooling system (ECCS)
of a large PWR. Two nuclear-powered tests of large-break loss-of-coolant accidents
had been run by May 1979, showing that the ECCS gave results even more favorable
than expected. The facility has since been used to study transients and small-break
LOCAs. Thus, the original purpose of the program has been largely fulfilled
and the facility has also been useful in working on questions raised by the TMI
accident.

The LOFT program has been a success in that it answered satisfactorily the ma- 
jor question of reactor safety for which it was designed, but it does not directly 
address the key safety problems that are apparent today. The Review Group is re- 
luctant to suggest termination of a facility with such a capable staff and one that 
represents a large capital investment. But the expense of its operation leads to 
the conclusion that it is no longer a cost-effective facility. It is unlikely to 
uncover any major new safety issue. The Review Group has identified a number of 
high priority areas in which research results are badly needed, and for which the 
resources saved through phasing out LOFT should be applied.


The LOFT program should be phased out in an orderly manner. The Review
Group is divided on whether the experimental program for LOFT
should be completed in FY-82 or FY-83.


Semiscale is a small mockup of portions of a PWR system. It is versatile and 
capable of performing experiments on a short-time schedule. It has limitations in 
size and ability to provide a representative configuration of PWR components, but 
it is an important facility for carrying out thermal-hydraulics tests. The opinion 
of industrial representatives is divided on the usefulness of Semiscale, although 
there is support for a modification that would mock up the once-through steam gen- 
erator system of Babcock and Wilcox. The cost of operating this system is small 
enough that we feel its support for the study of thermal-hydraulic phenomena associated
with loss-of-coolant accidents should be continued.

2. Small Loss-of-Coolant Accidents

The Reactor Safety Study indicated that the small LOCA is a greater contributor
to risk than the large LOCA. The ability to analyze the small LOCA has not kept
up with the ability to analyze the large LOCA, in part because of the long comput- 
ing machine runs required and the resulting buildup of calculational error. In 
addition, the integral LOCA experiments in the NRC program were designed to test 
calculations of large LOCAs, and are not well suited to small LOCAs.

The amount of damage to the reactor core from a small LOCA will be very sensi- 
tive to the extent and duration of uncovering of the fuel. Some levels of the boil- 
ing boundary below the top of the fuel can be tolerated for some time, but the 
specifics are still more uncertain than is desired. An NRC program to clear up the
uncertainty is definitely needed.




- The NRC program on the small loss-of-coolant accident should be 
continued, to the point where capability to answer important 
questions of thermal-hydraulics and fuel performance is assured. 


C. Decay Heat Removal Systems 


Following shutdown of a nuclear plant, the radioactivity in the core continues 
to generate substantial amounts of heat. To prevent fuel damage, this heat must be 
removed. The decay heat removal system has this function. Risk analysis indicates 
that potential failure of this system is an important contributor to the overall
risk. 

From operational experience, probabilistic risk assessments, and detailed design
reviews of specific plants, it is clear that significant improvements in LWR
safety could be achieved through improved, more reliable, shutdown heat removal
systems. Several countries, including Germany and Switzerland, have required not
only highly reliable shutdown heat removal systems but in addition a dedicated 
bunkered system which provides backup to a loss of all normal offsite and onsite 
emergency power, and also protection against fire or sabotage. Conceptual design 
studies of the various principal design alternatives for new and existing LWRs are
needed in sufficient detail for development of design and/or performance criteria 
for improved shutdown heat removal systems. 


- A major effort should be undertaken to develop and evaluate improved
or alternate approaches to more reliable shutdown heat removal sys- 
tems, for both the reactor vessel and the containment. 


D. Operator Response 


The correct operator response to unexpected events depends in large measure on 
his understanding of the system and on how unambiguously the information presented 
to him portrays the actual situation in the plant. The accident at TMI revealed 
problems in both these areas, particularly with regard to understanding unusual 
transients. 

1. Engineering Simulation 

The Department of Energy has been instructed by Congress to study the possible
usefulness of a national reactor engineering simulator facility. Most technical
groups have expressed doubt as to the usefulness of such a facility, a view which
this Review Group shares. However, the Review Group does favor a program to develop
one or more national system analysis facilities for LWRs. Principal emphasis in
the program would be placed on the development of methods to improve present capabilities
in system modeling, analysis of severe accidents, and ability to compute
in real time or faster. Such simulation facilities would not include a full-scale
control room mockup, nor would they be intended for emergency response applications
or for operator training. Compromises between physical accuracy and computer running
time might be necessary to enable the simulation facility to be used to study
large numbers of transients. Such important questions as design alternatives and
the effects of operator interaction could be explored parametrically.

Such a system simulation facility(s) should be useful for studies by reactor
designers, reactor regulators, and the technical support groups of nuclear utili- 
ties. The last group could obtain important generic insights, not now available, 
from simulators or from actual operational experience. Ultimately, this knowledge 
base would be reflected in the education and training of reactor operators and su- 
pervisors. 


- A national LWR system simulation program should be undertaken co- 
operatively by DOE and NRC. This program would treat both PWRs and 
BWRs generically. The principal goal should be the development of 
computational capability to study LWR behavior in real time or faster 
through a wide range of severe transients including accidents involving 
extensive core damage. 


2. Validated Data 

The information presented to the operator should be clear and unambiguous. 
Considerable work is underway by the industry and the NRC on developing effective 
means for presenting pertinent information to the operator. These are commented on 
in Section V. However, experience has shown that an important potential source of 
error occurs when incorrect information is presented to the operator because of in- 
strument error. Significant industry effort is now addressing this issue. There 
seems to be no NRC work in this area. 

One way in which the reliability of information to the operator can be import- 
ant to safety is illustrated by the transients involving power supply failure to 
non-nuclear instrumentation at the Rancho Seco, Oconee, and Crystal River plants. 
The specific source of difficulty in these cases is being remedied, and current
development of parameter display systems may alleviate concerns of this kind.
However, other potential scenarios remain, including those associated with a large
earthquake near the plant, for which the reliability of information supplied to the
operator might have safety implications. Hence, a reasonably comprehensive examination
of this subject should be undertaken.


- A broadened research program should be undertaken on the safety
implications of the reliability of information provided to the 
operator. 


E. Rulemaking on Minimum Engineered Safety Features 


The NRC is planning a rulemaking hearing on minimum engineered safety fea- 
tures. It is important that a detailed review be carried out to assess the infor- 
mation needs for this hearing, and that any research programs needed to provide 
additional information on a timely basis be identified and started quickly. 


The NRC should promptly identify those information needs of the rule- 
making on minimum engineered safety features of future LWRs that can 
be supplied in time by safety research, and assign the necessary 
priority and resources to this task. 


III. Fuel Damage and Mitigation of Its Effects 

The general topic of damage to nuclear fuel as a result of potential accidents 
is divided into three parts: 1) the fuel damage process itself, 2) the release of 
radioactivity from the fuel and its transport to the containment boundary, and 3) 
the effectiveness of the containment at preventing the release of radioactivity 
under loads caused by various postulated accidents. 

A. The Fuel Damage Process


The topic of fuel damage covers a wide range of possible conditions, from per- 
foration of some of the cladding to total melting. Some minor cladding failure and 
cracking could result from thermal stresses and other effects of normal operation, 
including anticipated transients. Serious failures of the cooling system could 
result in various degrees of overheating that would lead to gross cladding failure 
and eventually to deterioration and melting of the fuel itself. 

The possibility of damage to the fuel is a major safety issue because under 
normal conditions the UO2 fuel pellets form an effective trap for most radioactive
fission products. Thus any large release of these fission products would be pre- 
ceded by serious damage to the fuel. 

1. Normal Operation and Anticipated Transients 

Safety-related research on this item is needed to maintain a low probability 
of fuel element failure despite plans to increase the burnup routinely achieved 
with LWR fuel. Low failure frequency limits the amount of radioactive material in 
the primary system. This facilitates maintenance, repair, and in-service inspec- 
tion, and therefore helps to keep the integrated occupational man-rem dose at a low 
value. A lower inventory of radioactivity in the primary system would also reduce 
any offsite release from certain postulated minor accidents, such as steam genera- 
tor tube rupture. It would reduce some problems in waste handling. 

In addition to an extension of the current research and development on pellet-clad
interaction to higher burnups, consideration will have to be given to any possibility
of change in the release characteristics of fission gas from the UO2 fuel
pellet during anticipated transients in reactors containing higher burnup fuel. 
Research in these areas is related to work historically conducted either by indus- 
try or under DOE and its predecessors. 


- Research on fuel element behavior during normal operation and antici- 
pated transients should be the responsibility of the nuclear indus- 
try, or be part of a program of generic studies supported by the De- 
partment of Energy (DOE). 


2.  Super-Prompt-Critical Bursts in Power 

This was of considerable interest in the 1960's when reactivity insertion 
accidents in LWRs appeared to have the potential for bringing a significant amount 
of oxide fuel beyond the melting point, perhaps to the vaporization point, thereby 
possibly generating damaging pressure pulses and disruption of the core. However, 
design changes have made reactivity insertion accidents of this magnitude and speed 
highly improbable in LWRs, and recent analyses have indicated that for some of the
reactivity-insertion accidents still receiving consideration, the power burst would 
be terminated sooner than was previously calculated. 

Hence, it does not appear that additional research in this field is required 
at this time. 

3. Local Melting of Fuel Pins at Power 

It has been suggested from time to time that if melting of a significant por- 
tion of a subassembly were to occur at high power through flow blockage or some 
other cause, the event might propagate. Research was deemed necessary to ascertain 
the reality of such a possibility, and the time scale for detection of the fuel 
melting and any required mitigative action. 

The flow blockage issue is essentially confined to boiling water reactors, 
whose fuel assemblies have side walls isolating each assembly from its neighbors. 
The General Electric Company has analyzed such an event, assuming that for some 
reason one full fuel assembly was blocked, and has concluded that timely detection
of the event and shutdown of the reactor would occur, with no significant potential
for rapid propagation. The possibility of performing experiments in the Power 
Burst Facility (PBF) to examine the matter further has been proposed, but, as of 
now, no such experiments have been scheduled. Additional insight may arise from 
the experimental program related to degraded and molten cores, which is discussed 
below. 

4. Degraded and Molten Cores 

Although recommendations that research was needed on phenomena related to de- 
graded and molten LWR cores were made as many as fifteen years ago, it was the ac- 
cident at Three Mile Island that provided the impetus for initiation of an NRC re- 
search program on this matter. The question is complex, since many different kinds 
of phenomena are involved, and the situation could in principle be caused by many 
different initiators, each with its own circumstances. 




It will be useful to structure the consideration of degraded LWR cores by 
classifying conceptual accidents into two categories: (1) accidents that would be 
terminated before a large part of the core had melted (TMI-2, for example), and (2)
accidents that would cause the entire core to melt, threatening the integrity of
the reactor vessel and subsequent release of the core to the containment building. 

The longer term research programs addressing the first category should be de- 
veloped in light of two important classes of questions: 

(1) Could research significantly influence the course of an accident in which 
choices available to the operator might affect whether the accident is successfully 
terminated? If so, how? What research might be done? Is the research feasible 
technically and financially? How might its usefulness be achieved? 

(2) Can research on fuel performance prior to extensive melting lead to im- 
proved design of new LWRs or changed designs of existing LWRs? If so, how? How 
reliable and accurate will estimates of the improvement be? 

In the more immediate future, programs may be necessary to ensure to the 
fullest extent possible a base of information for the degraded core rulemaking 
hearing. 

A similar set of questions must be addressed by that part of the research pro- 
gram that considers phenomena related to molten cores: 

(1) Could research on fuel behavior in the reactor vessel during a core melt 
accident significantly influence the management of an actual accident? If so, how?

(2) Could research on fuel behavior in the reactor vessel during a core melt 
accident significantly affect the design of current or future LWRs? If so, how? 

(3) Are there other objectives of such research than accident management or 
design changes? 

Of course, research programs on degraded cores should also be confined to 
questions whose answers may have real significance, and which can be well enough 
defined. 

The NRC has announced its intention to hold a rulemaking hearing on "Degraded 
Core Cooling" to consider how degraded cores should be addressed in the licensing 
process. To prepare for this hearing, the industry has started the IDCOR program,
to carefully review and analyze all available pertinent data. This information and 
possibly results of new experiments are being used to develop improved analytical 
tools for degraded core issues. It appears that few, if any, results from current-
ly planned NRC research programs on degraded cores can be expected in time for the
hearing. Specific examples of areas with limited or non-existing data relevant to
degraded cores are factors affecting the extent of core melt, gross clad damage, 
change in fuel geometry, and coolability of degraded cores. Some additional exper- 
imental and analytical studies could still be initiated and conducted in time to be 
useful for the hearing. Consideration should be given to establishing priorities, 
with this objective as the highest priority. Care should be taken not just to 
duplicate work of the IDCOR program. 


- The NRC should promptly identify that information which it needs for 
the degraded core cooling rulemaking and which safety research can 
supply in time for the hearing. It should assign the priority and
resources to get the job done, deferring, if necessary, other less
urgent degraded core safety research.


5. Three Mile Island Recovery 

A careful experimental study of the seriously degraded core in TMI-2 would 
provide very valuable information on many aspects of core degradation for use in 
future analysis of such accidents. It is important that enough support be avail- 
able to obtain the unique information that can be found by detailed examination of 
this damaged core. It is recognized that the severe institutional and financial 
problems impeding TMI cleanup must be solved to make this possible. The longer the 
inspection of this core is delayed, the less trustworthy and the less valuable will
be the results of the examination. 


Ample federal funds should be made available for developing timely 
information through examining the degraded core in TMI-2. The cur- 
rent program of DOE to carry out such investigations should be sup- 
ported. 


6. Power Burst Facility (PBF) 

The PBF is a facility unique in this country for the study of fuel failure 
mechanisms. It provides a service essential to determining damage to an order of 
magnitude or better as a precursor to inserting more sophisticated experiments into 
such facilities as NRU or ESSOR. Unless such scoping studies are done beforehand, 
approval to insert such experiments in other reactors could be difficult or impos- 
sible to obtain. For this reason and because of valuable data from the scoping 
experiments themselves, continued support of PBF is desirable. 

On the negative side, some of the recently proposed programs for PBF appear 
ill conceived and could lead to misinterpretations. This is particularly true of
experiments aimed at extrapolation to full core behavior. Such extrapolations 
could lead to results which are either much too conservative or much too optimis- 
tic. The program now proposed should be reviewed for its relevance and modified 
accordingly. 




- Power Burst Facility operation should continue; however, the proposed 
NRC programs relevant to degraded cores, etc., should be reviewed 
critically and modified as necessary. 


B. Release and Transport of Radioactive Material* 


Understanding of the nature of the risks from potential reactor accidents de- 
pends heavily upon estimates of the form and amount of radioactivity that might be 
released from the reactor containment building under a variety of postulated acci- 
dent conditions. This area can be subdivided into three parts: 

(a) The amount and form of radioactivity released from the fuel itself under 
various conditions of degradation, which will be called the fuel release process. 

(b) The amount of removal of radioactivity by plateout, washout, or agglomer- 
ation that takes place during transport from the fuel to the containment barrier, 
which will be called the radioactive transport process. 

(c) The modes of containment failure and their effect upon the fraction of 
the radioactivity that is released to the environment, which will be called the 
containment failure process. 

1. Fuel Release Process 

The risk from reactor accidents is thought to be dominated by those failures 
that would produce serious degradation of the fuel from overheating or melting. 
Current estimates are based mainly on the Reactor Safety Study (WASH-1400) which 
contained analyses performed between 1972 and 1975. The WASH-1400 report assumed 
that in the most serious core melt accidents, well over 50% of the most volatile 
fission products would be released to the primary system. It also assumed that up 
to 10% of the less volatile fission products would be released from the fuel. 
These assumed fractions were based upon laboratory experiments on very small
amounts of UO2. It was noted in the WASH-1400 study that these values were proba-
bly conservative. However, a review of the TMI accident and other fuel failures 
indicates that during such incidents high release fractions of such volatile elem- 
ents as Cs and I are not only possible but likely. It has been suggested by some, 
though, that the physical and chemical form of the released radioactivity can have 
a large impact on the transport processes. In this regard, the question of whether 
the iodine is released as elemental iodine or as the compound CsI may be of impor- 
tance. A second question of importance is the size of aerosol particles released 
and the aerosol density. 


* This topic is often referred to as "the source term." In fact, each accident 
scenario has its unique source term. 


2. The Radioactive Material Transport Process 

Radioactive gases and aerosols released from the fuel would have to pass 
through part of the primary system and then into various compartments in the con- 
tainment structure to pose an increased threat. During this process, there would 
be potential for plateout on cold surfaces, agglomeration of aerosols into heavier 
particles which may settle out, or washout by contact with water. For the very 
worst accidents considered in WASH-1400, it was assumed that a relatively small
fraction (less than half) of the radioactivity released from the fuel would be re- 
moved by these processes. The method used for estimating the fraction of radio- 
activity removed by these processes in WASH-1400 may be conservative for many of 
the accident sequences. This is important because if the estimate of releases of 
all the major isotopes other than the noble gases were reduced by a factor of 10 or 
more, the calculated number of acute fatalities would go to zero in every case, and 
there would be a substantial reduction in other health effects as well. However, 
for this to change the current view of the nature of reactor accidents, it would 
have to be established not only that the removal fraction is larger but that it is 
larger in all the important accident sequences. Research on this transport process 
should receive a high priority, and should include analysis of transport of fission 
products in real accidents that have occurred. The following areas are particular- 
ly in need of investigation: 

(a) Plateout in the primary system. 

(b) Washout by sprays or passage through suppression pools and ice condensers.

(c) Rates of agglomeration of very high density aerosols. 

(d) Deposition on wet containment surfaces. 

(e) Removal during passage through containment fractures. 

The NRC has recognized the importance of this issue and recently issued a 
report entitled "Technical Basis for Estimating Fission Product Behavior During LWR
Accidents," NUREG-0772, June 1981, which points out the importance of these removal 
processes, but concludes that existing knowledge does not warrant major changes in 
the WASH-1400 values of the removal fractions. In addition, NUS Corporation under 
contract to DOE is reviewing these issues and suggesting research to resolve them. 
A report containing their recommendations is to be published shortly. Finally, in
preparation for the announced NRC Degraded Core Cooling Hearings, the industry has 
organized a major review of these issues in their IDCOR program. 


The NRC, DOE, and industry have ongoing programs to provide improved 
understanding of radioactive releases possible after severe reactor 
accidents. These should encompass a range of conditions and accident 
scenarios sufficient for broad understanding of the processes of 
transport and release of the important radioactive isotopes. The NRC 
program should provide as much information as possible for the 
degraded core cooling hearings. There is also a need for a long- 
range program in this area. 


C. Containment Effectiveness 

As would be expected, accidents with major offsite consequences can occur only 
if the containment fails. Thus, the causes of possible containment failure and the 
failure mechanisms themselves are very important to reactor safety. The failure 
modes could be of three types: 


(a) Failure to isolate. 

(b) Failure due to excessive internal pressure from static or dynamic loads. 

(c) Failure due to melt-through by the molten core. 

Failure to isolate refers to failures of the systems that are intended to seal 
the containment under upset conditions. These failures could result either from 
equipment (hardware) failures or from human failures either in maintenance or oper- 
ation of the system. 

Overpressure failures could result from a gradual buildup of steam pressure 
due to a failure of containment heat removal following a serious system failure. 
They might result from a sudden pressure surge caused by hydrogen detonation or 
burning, or from a sudden large steam release. 

In analyses such as those in WASH-1400, all very large releases are estimated 
to be the result of catastrophic containment failure either before or shortly after 
core melt. On the basis of current knowledge it seems clear that if the contain-
ment were to remain effective for several hours or more following core melt, sub-
stantial reductions in the release fractions would take place. Thus the timing of
containment failure would also be important. 

1. Containment Isolation 

All containments are designed to isolate as a result of signals generated by a 
wide range of abnormal conditions. For overall safety this isolation system must
be highly reliable. Very careful attention to this issue is expected during the 
design and licensing of the plant. No areas of large uncertainty associated with
this process require specific research programs. However, the general comments on
improvements to probabilistic risk analyses apply to analyses done on this system
to estimate its reliability.

2. Overpressure Failure

During the past decade, most containment research has been focused on sub- 
compartment dynamic loads for PWRs and dynamic loads in BWR suppression pools as 
they might arise from steam relief or a LOCA. Most research on the latter has been 
done by the affected utilities and the reactor vendor, and has progressed reasona-
bly well.

A markedly different kind of containment research has arisen as an aftermath
of TMI-2. Partly as a consequence of evaluation of the capability of various types
of containment to withstand hydrogen burning, and as a result of the special re-
views being given the risk from Zion/Indian Point, the failure mode and pressure
are being calculated for a range of types of loading. Failure point estimates are 
currently being made, on the assumption that the building has been constructed in 
conformance with the design drawings, although for existing plants test values 
rather than minimum code values are sometimes used for the strength of steel or 
concrete. 

The Nuclear Regulatory Commission is developing and implementing requirements 
with regard to hydrogen control capability which frequently take into account the 
existence and effects of pressures well beyond the normal design point. The rule- 
making on degraded cores may lead to a range of new requirements for existing and 
future reactors. Risk-based analysis is likely to become increasingly important in 
decision making, and such analyses will surely include the mode, point, and timing 
of containment failure. A failure of leak tightness seems much more likely than a
catastrophic structural failure, but this remains to be assured. It may become 
important in the estimation of failure probability to allow for the possibility of 
flaws in fabrication and construction, deterioration due to aging, and design 
errors. It may become important to determine that pressure below which there is a 
very high probability of retaining containment integrity. 

It appears that it will be necessary to develop a new area of research involv- 
ing a marriage of the techniques currently used by structural engineers with those 
employed by reliability engineers. This research will probably be largely analyti-
cal since integral experiments are difficult, expensive, and too limited in their
range of applicability to be definitive.



- The reactor containment is the ultimate barrier providing protection 
of the public in the event of a radioactive release from the fuel. 
The NRC research programs to better understand containment response 
to loads created by postulated accidents are important and should be 
supported. A close coupling between structural analysis techniques
and the methods of probabilistic risk analysis is needed to make bet- 
ter estimates of the probability of containment failure as a function 
of increasing internal pressure. 


3. Effects of Hydrogen 

The possibility of hydrogen generation and release in containments has been a 
recognized safety issue in water reactors for several decades. Problems with safe- 
ty are not limited to cases of major fuel failure in a large LOCA but may be asso- 
ciated with several factors, such as rates and mechanisms of formation, concentra- 
tions for flammability and explosion, and methods of correction and control. 

Questions related to hydrogen were recognized as constituting an early generic 
safety issue which was considered at one point to be resolved by actions taken in
Regulatory Guides. 

Recently a generic issue on hydrogen was reestablished and promoted to the 
limited list of unresolved safety issues. It was one of four issues reported to 
Congress as new unresolved safety issues in 1981. 

This increased concern with hydrogen has resulted from a variety of factors, 
such as enhanced interest in the effects of degraded cores and the greater implica- 
tions of hydrogen explosion in smaller containments such as the ice condenser. 

The task action plan for attacking the hydrogen problem will be developed this 
fiscal year, and research programs will be established. This program should be 
given priority and pursued diligently. Complementary programs by industry should 
be considered in establishing research scope. The significance of the problem 
should be established in terms of containment design and volume. 


- The NRC is initiating a research program on the issue of evolution 
and burning of hydrogen in accidents. This program is important and 
should be pursued expeditiously. Complementary programs by industry
should be taken into account in structuring the NRC's research pro-
gram. The significance of containment design and volume should also
be taken into account. 


4. Alternative Containment Designs 

Alternative containment designs are under consideration that would make the 
containment more effective at coping with loads imposed by postulated degraded core 
and fuel melt accidents. The possibility of requiring such measures in future de-
signs will be an important part of the Degraded Core Cooling Rulemaking Hearing.
It is essential that prior to the hearing the NRC carry out research on the effec- 
tiveness of such measures as containment venting without filtering, containment 
venting with filtering, and core debris retention in reducing public risk. The 
effectiveness of such measures compared to other such possible alternatives as the 
dedicated heat removal system discussed in Section II will be an important issue in 
the hearing that will require this information. 


- The NRC safety research program on mitigation of degraded core and
core melt accidents should be modified as necessary to provide the 
information needed on alternative containment design concepts under 
consideration, including improved containment cooling, containment 
venting, venting and filtering, core debris retention, and hydrogen 
control. 


IV. Effects of Potential Accident Releases to the Environment and Their Mitigation 


Significant amounts of radioactivity are predicted to be released from the 
containment in the most serious postulated accidents. It is important to estimate
the magnitude and likelihood of the possible consequences of such a release, both 
as to public health and the damage to property. This information not only provides 
the basis for risk estimates but is required for establishing the civil protection 
procedures that might be employed to mitigate the consequences. This section con-
siders the current state of the ability to analyze the consequences of releases of
various sizes and types and the impact of proposed mitigating actions. 

A. Distribution of Radioactive Materials 

Analyses of reactor accidents suggest that two pathways should be considered 
for the distribution of radioactivity following an assumed accidental release. By 
far the most important in terms of early health effects and property damage is the 
release of radioactive gases or fine aerosol particles that would be distributed 
under the influence of prevailing weather conditions. The second pathway would 
result from the release of radioactivity into surface or groundwaters. 

1. Meteorological Modeling 

Most analyses have used a version of a "Gaussian Plume" weather model to cal-
culate the distribution of airborne releases. Many, but not all, of these models
do not allow for changes in wind direction. The computer code CRACIT developed by
Pickard, Lowe, and Garrick includes a detailed treatment of wind changes. All me-
teorological models used contain numerous simplifying approximations that affect
their accuracy; important among these is the treatment of rain. The overall accur-
acy is probably good for a flat inland site for distances of 5 to 10 miles from the
assumed release. However, on sites with special topographical features such as 
deep river valleys, the local topography introduces features that compromise the 
accuracy. 

The NRC is planning to fund the development of a new improved version of the 
code CRAC (Consequences of Reactor Accidents Code). The Review Group supports this 
effort and suggests that particular attention be paid to improving the meteorologi- 
cal modeling. The research should include more detailed weather models than the 
"Gaussian Plume" model, and particular attention should be given to including im-
provements in handling effects of rainfall and local topography.


- The methods for calculating the influence of meteorological condi- 
tions on the distribution of radioactive material following a postu- 
lated accident should be improved. The NRC effort to do this through 
a new version of CRAC (Consequences of Reactor Accidents Code) should
continue to be supported.

2. Hydrological Modeling 

In accident scenarios in which it is postulated that the reactor base mat 
fails following a serious release of radioactive material into the containment, a 
large amount of radioactive material might enter the groundwater. This released 
radioactivity could eventually find its way into water supplies and be the source 
of protracted low-level doses. Because of the dilution by groundwater and the 
longer time scales for groundwater movement, it is highly unlikely that these doses 
would contribute to early health effects. However, most risk analyses suggest that 
such releases might be from ten to a hundred times more likely than a large air- 
borne release. The result is that when the long-term health effects are weighted 
by their probability, the risk may be of the same order as that from airborne re- 
leases. More needs to be known about the distribution of radioactivity by ground- 
water both for potential reactor accidents and for radioactive waste disposal. It 
would be reasonable for the NRC to continue work at a modest level in this area.

B. Civil Protection Strategy

All estimates indicate that civil protection actions could reduce significant- 
ly the effects of accidental releases of radioactive materials. Considerable regu- 
latory effort has gone into planning of evacuation. Clearly, if people were moved 
out of the path of the airborne radioactivity they would receive no acute doses. 
However, if they were in the process of evacuation and failed to get out of the 
path of the radioactive cloud they would receive higher doses than if they had 
stayed inside their homes or offices. Thus, for part of the population a strategy
of sheltering until the radioactive cloud has passed followed by relocation of 
those in a contaminated area would be the preferred protective action. The NRC has 
sponsored work in this general area and the Review Group supports their continua-
tion of this work.

Research in this general area is regarded as important, but the Review Group 
has not examined the full range of activities by federal, state, and local govern-
ments, and therefore makes no recommendations for specific research that may be
needed.


C. Biological Effects of Radiation 

Since the effects of x rays on radiologists were first recognized, it has been 
widely realized that radiation in various forms can have serious biological ef- 
fects. During the last fifty years, extensive research programs have been carried 
out to determine the quantitative effects on a variety of biological systems in- 
cluding man. Although some aspects of the biological effects of radiation continue 
to be controversial in scientific circles, these effects are much better understood 
than those of most of the potentially harmful substances being introduced into the
environment by man. The current knowledge is sufficient for reasonable, realistic,
or bounding estimates of biological effects of radiation caused by reactor acci-
dents. The largest uncertainty is in the area of the effects of low levels of ra-
diation.


The national research programs aimed at a better understanding of the 
biological effects of radiation should be continued at their present 
level. 


D. Economic Impacts of Large Releases 

Estimates of the economic impacts of large accidental releases of radioactiv- 
ity on property show them to be in the same range as large natural disasters. A 
major component of these costs is from decontamination of land. Very little re-
search activity exists on procedures for decontaminating large land areas, and a
modest research program is warranted.


A modest research program into techniques for decontaminating large 
land areas is warranted. 


V. Important General Issues 


In the review of reactor safety, some technical issues were identified that 
were so broad and so pervasive that they did not conveniently fall into any one of 
the preceding categories. These include human error and probabilistic risk analy-
sis (PRA). Because of the special importance of these issues, they are discussed
in this separate section. 

A. Human Error 


Most studies of the likely causes of serious accidents conclude that over 50% 
of the risk is associated with human failure to perform as intended. This observa- 
tion includes human errors in design and construction, in maintenance and testing 
during operation, and, of course, mistakes by operators in response to unusual oc- 
currences. The major goal of research in this area is to reduce the incidence of 
serious human errors. The current program considers three principal ways of doing 
this: 1) through better training of personnel, 2) through better system design, 3) 
through improved procedures. Although some proposed improvements would get broad 
support, many others may be improvements for some events but could reduce the ef- 
fectiveness of dealing with other events. Thus it is important to be able to judge 
the overall impact of any specific change in training, procedures, or design on 
overall system safety. Because of the unpredictability of human behavior it is 
often difficult if not impossible to do this by probabilistic methods. 

A broad research program is needed to improve understanding of the impact of 
humans on system reliability, operability, and safety, and of other factors that 
affect the performance of man-machine systems. While human engineering and the 
man-machine interface have been subjects of particular interest to NASA, DOD, and 
other industries and agencies for a number of years, the subjects received little 
attention from the nuclear industry and the NRC until the TMI accident. Since TMI,
both NRC and the industry have launched substantial human factors research pro- 
grams, but the present knowledge base is inadequate and more research is required. 

NRC's program plan for human factors research currently includes studies of 
human error rate, review of control room design from a human factors perspective, 
and enhancement of operator selection, training, and performance. The Review Group
believes that, in general, the work outlined in this plan is useful and important.
However, the accomplishment of many of the objectives would appear to require more
resources than are currently assigned to the work. In many cases, the deliverable 
results of the research are not well defined. Further, in some areas, particularly
the human factors aspects of graphic displays and computer aids to reactor operat-
ors, the proposed work appears to be overly duplicative of ongoing or completed in-
dustry work. The program associated with LOFT appears to be of marginal relevance
for this reason. 

It is important that the regulatory standards, criteria, and guidance that the 
NRC must establish in the human factors area be supported by the best possible 
knowledge base. It is therefore necessary that NRC identify the information it 
needs for developing criteria, standards, and regulatory guides and revise its hu- 
man factors research program as needed to obtain that information. In identifying 
its information needs and revising its programs, the NRC should be cognizant of 
past and ongoing research programs of NASA, DOD, the nuclear industry, and other 
establishments. The revised program should be complementary to and not overly 
duplicative of industry efforts by owners’ groups, INPO, EPRI, and NSAC. 

Finally, although the Review Group recognizes that identifying valid ways to
measure the effectiveness of human performance will be very difficult, it is a 
critical element that should be addressed in the research program. 


- Probabilistic risk analysis indicates that about half the risk from
reactor accidents is attributable to human error. The body of know- 
ledge concerning pertinent human factors is inadequate, and it is im- 
portant that further research be done in this area to provide an ade- 
quate technical basis for regulatory activities. The NRC should es- 
tablish relative priorities, so that its research program will be 
structured to obtain the most important information first. The im- 
portant information is that which can be used to improve control room 
design, operator aids, and selection and training of operators, which
should lead to reduction of rates of human error. Further, the NRC
program should be coordinated with industry efforts.


B. Probabilistic Risk Analysis (PRA) 

Since the accident at Three Mile Island the use of PRA as a tool for helping 
to understand a variety of safety issues has rapidly increased. This use has
ranged from estimating the reliability of specific plant systems such as the auxil-
iary feedwater and scram systems, to complete integrated estimates of overall plant
risks similar to that done in WASH-1400, the Reactor Safety Study. The Review 
Group supports this use of PRA techniques as one of the tools for reaching a better 
understanding of plant risks and the reliability of specific systems. 



It must be recognized, however, that the techniques are relatively new and 
therefore there is room for considerable improvement. Three areas needing improve- 
ment are: 1) input data on basic failure rates; 2) treatment of common cause fail- 
ures; 3) analysis of highly reliable systems. 

In many cases the failure probabilities required as input data for any quanti- 
tative analysis are subject to considerable uncertainty. This can be the result of 
limited input data or of inapplicability of the general data to the system under 
analysis. The data on human failure rates comprise just one of a number of cases
where considerable uncertainty exists. Significant research is needed to develop a
more reliable data base. 

The term common cause failures refers to two or more failures that occur si- 
multaneously as a result of some common cause. This can be the result of an exter- 
nal event such as a fire, earthquake, etc., or of a common design defect. The nor- 
mal analysis of a system first looks for single random failures or combinations of 
single random failures that can lead to system failure. The result of this is 
called the probability of failure by random events. The analyst must then go back 
and look for possible dependencies between these previously assumed random fail- 
ures, and the result is the probability of failure due to common causes. In well- 
designed systems where the probability of failure by random component failure is 
calculated to be quite low (less than one in 10,000 per demand), it is customarily
found that common cause failures are dominant contributors to system failure. Fur- 
thermore, the various sources of these common cause failures are often subtle and 
hard to identify. Numerous techniques are used to estimate the impact of common 
causes on system failures, but it is commonly recognized that much more research 
needs to be done in this difficult area. 

The analyses of very well-designed systems sometimes predict failure rates in 
the range of one in one million (10^-6) to one in one billion (10^-9) per demand.
Although it is possible that such high reliability can be achieved, experience has
shown that more often than not such predictions tend to be overly optimistic. Very
unlikely events tend to be more frequent than these low probability values sug-
gest. For example, a system out of service for maintenance one minute each year
has an unavailability of 2 x 10^-6 just for that cause. Natural events that may be
as unlikely as one in a million years could overwhelm probability estimates that
otherwise are very low. Another area where probability estimates tend to be highly 
uncertain is the probability of damage to systems subjected to large ground mo- 
tions. Much more work is needed in the area of estimating the failure probabili- 
ties of very reliable systems. 

At a time when the number of analyses being requested by the NRC is increasing 
rapidly, it becomes very important to standardize as much as is practical the tech- 
niques to be used. If done with care, this should improve the quality and repro- 
ducibility of the results. 

The NRC currently has research programs addressing each of these issues and 
because of the importance of PRA techniques these programs should be expanded. 


- The use of probabilistic analysis is rapidly expanding. A signifi-
cantly larger research program is needed to improve and standardize
the methodology as much as possible. Particular areas that need im- 
provement are: methods of handling common cause failures, data col- 
lection and analysis, accuracy of the estimated frequency of very low 
probability events, and assurance of the quality of analyses. 


VI. Organizational and Institutional Comments 
A. NRC Safety Research

The NRC's safety research program evolved to its present form over an interval
of about eight years. This form is now responsive to needs as they developed over
that period. The program is not logically or optimally structured in coverage and 
emphasis to respond to questions of currently perceived urgency. The importance of 
the loss-of-coolant accident in the historical development of the NRC's regulatory 
methods has led to focus of research on this topic, with most of this work devoted 
to the large LOCA. It seems appropriate at this point to change the emphasis of 
the program. Some of this change is underway, and suggestions are made throughout 
this report for additional changes. 

The program heavily emphasizes reduction or prevention of consequences once an 
accident is assumed to have started, since the regulatory staff has itself adopted 
this primary objective. As said below, this emphasis seems appropriate as a guide- 
line, but it should not be rigid. On numerous occasions, NRC research has been 
necessary to improve reactor safety, and without doubt more such instances will
arise. 

Most of the NRC's programs are strong, and together they constitute one of the 
more important research programs in the country, in size, importance, and product. 
The program is broadly accepted by the technical community, especially where it is 
more fully understood and its impact is greatest. The program has substantially
improved the understanding of many of the reactor safety issues it has explored,
and it has greatly improved the underpinning of NRC's regulatory actions on light 
water reactors. 

The Review Group found a widely held perception among reactor safety research- 
ers that the results of research do not lead to corresponding changes in regula- 
tions, particularly in those cases in which the results showed the regulations to 
be based on conservative assumptions. Even after discounting the tendency of re-
searchers to feel their results are not used enough, this criticism appears to be
essentially valid. Three examples related to Appendix K to 10CFR50, which resulted 
from the ECCS Rulemaking hearings in 1972-73, stand out. Appendix K has not been 
altered in spite of a considerable body of experimental data from the NRC's own re-
search programs showing several of the prescribed features to be very conserva-
tive. Chief among those is perhaps the decay heat formulation commonly referred to
as ANS + 20%. This formula, to which the analysis is sensitive, is high by a
good 25%. Similarly, data obtained since Appendix K was issued show that the zir-
conium oxidation rate in steam is less than predicted by the prescribed formula-
tion. Finally, the integral experiments conducted on LOFT indicate that the clad 
temperature rise in a large-break LOCA will be hundreds of degrees below the value 
computed by the Appendix K methodology. 

Although it is probably true that the NRC staff frequently incorporates new 
data into their engineering judgments, more formal incorporation of new and signi- 
ficant results is desirable. It is true that the NRC frequently faces industry 
(vendor or utility) opposition, active or passive, in making regulatory changes 
even when the proposed change would relax the rules. The industry tends to grow 
"comfortable," or it learns to live with a particular regulation. The prospect of 
the procedures involved in a change gives more concern than is compensated by the 
prospect of a relaxed specification. There is a tendency to retain the outdated 
assumptions in regulatory actions to provide extra overall safety margin, even when 
the conservatism has become assured. 


The NRC program is in many areas weak in timely production of results, partly 
because of inflexibility and partly because the requirements for new research were
not recognized sooner. The inflexibility has several origins, which are addressed 
in a recommendation below. 

A basic criticism heard many times was that the Commission fails to set and 
communicate policy direction to the staff. There is even a lack of general in- 
structions to the research staff as to what areas of research are considered impor- 
tant. In the absence of direction, the staff does not have an adequate basis to 
set research priorities and establish schedules which conform to the responsibili- 
ties faced by the Commission. This has been one of the causes of the uncertainty 
in goals that has been observed. The Review Group did not make any in-depth study 
of this organization problem. However, various individual members found such crit-
icism to conform to their own observations. It goes without saying that an ade-
quate solution to this problem is vital to an adequate reactor safety program, both
inside and outside the NRC.

The planning and management of research have probably been diluted by the re- 
cent reorganization that combined the Office of Nuclear Regulatory Research and the 
Office of Standards. On the other hand, the Office of Nuclear Regulatory Research
has never become well integrated with the licensing staff, and the new reorganiza-
tion may ease this problem.


- The Commission should encourage and promote the visible integration
of the results of safety research into the regulatory process. Regu- 
latory requirements should not rest on bad science when good science 
has become available. If retention of conservatism is desired be- 
cause of uncertainties or for other reasons, this should be done 
through the application of explicit safety factors to a calculation 
based on best available methods, in accordance with good engineering 
practice. 


- The limitation of NRC's programs to "confirmatory research" should be
removed, so that exploratory research and research to improve safety 
can be undertaken when this looks like the better course to follow. 


- It is reasonable that the prevention of accidents should be the prin-
cipal area for industrial safety research, and prevention or limita-
tion of public consequences the principal area for NRC. This 
difference should be retained as a guideline but not as an absolute 
boundary between the programs. 


- The flexibility of the NRC's research program should be improved. An
easier way to transfer funds from one decision unit to another should 
be established. The methods of inter-office coordination and concur- 
rence on new programs should be simplified to prevent a single indi- 
vidual or Office from being able to block programs that have broad 
support. Subject only to Commission agreement, the Office of Re- 
search should be permitted to undertake research that is expected to 
be important in the long run, even if there is no immediate user 
need. Of course, this should not displace research for which a user 
need has been defined and agreed on. 


- NRC's long-range research plan (NUREG-0740) should be restructured to
follow lines of Agency objectives. This should infuse it with a more 
up-to-date logical structure and discourage the tendency to support 
doing more of what has already been done. Introduction and continua- 
tion of guidance at the Commission level will be of fundamental im- 
portance in confirming the objectives and restructuring the plan. 

The restructured long-range plan should be more specific in defining 
the deliverables in each program. 


B. The Role of DOE in Light Water Reactor Safety Research 

Public Law 96-567 (Nuclear Safety Research, Development, and Demonstration Act 
of 1980) states that: "a proper role of the Federal Government in assuring nuclear 
power plant safety, in addition to its regulatory function, is the conduct of a re- 
search, development, and demonstration program to provide important scientific and 
technical information which can contribute to sound design and safe operation of 
these plants." It is the intent of the law that this program be carried out by the
Department of Energy.

The DOE maintains a number of national laboratories which are a reservoir of 
talent and facilities for conducting reactor safety research and design studies. 
There is little doubt that a valuable program can be formulated to make effective 
use of these resources. PL 96-567 specifies a number of areas in which the DOE 
should establish research programs. Although the Review Group does not believe
that DOE is necessarily the best agency to conduct each of the types of research 
specified, there will probably be enough flexibility to permit DOE to formulate a 
sound program. However, DOE does not now have the staff structure necessary for 
planning and conducting this program. In response to the passage of PL 96-567, the 
Office of Nuclear Power Systems of DOE has conducted a study of the kind of program 
it would propose and has prepared a draft of the report to Congress. The Review 
Group found the first draft of this report to contain too many generalities to give 
much confidence that a well-focused research program will be formulated. 

One section of PL 96-567 calls for a study of the need for a "reactor engi-
neering simulator facility." The DOE appears to be reaching a negative conclusion
regarding such a need, a finding in which the Review Group concurs. The Review 
Group does believe, however, that there is need for more detailed and more physi- 
cally accurate mathematical models of nuclear power plants and rapid calculational 
methods that incorporate these models, a need discussed elsewhere in this report. 

One research project which should especially receive DOE support is the study 
of the damaged core in the Three Mile Island, Unit 2 plant. DOE has already initi- 
ated such a project. This core is a national resource in the sense that it con- 
tains more information about the progression of fuel damage during an accident and 
the characteristics of degraded cores than could be obtained practically in a cost- 
ly planned research program. The DOE program to study the TMI-2 core is supported 
in a recommendation elsewhere in this report. 


Other areas of safety research which the Review Group finds somewhat more ap- 
propriate to DOE than NRC include improved steam generator design, increased relia- 
bility of nuclear plant AC and DC electrical systems, and development of more reli- 
able valves. 


- DOE should form a strong staff of technical and managerial personnel 
knowledgeable and experienced in the subject of water reactor safety, 
to develop and implement programs of safety research in this field. 


- DOE should develop a program of generic research to improve water re- 
actor safety, and assume a substantial responsibility in the area of 
accident prevention to supplement other programs designed to reduce 
the likelihood of nuclear power plant accidents. 


C. Research in Other Countries

Research on safety of nuclear power plants is extensive in some other coun-
tries, especially in Japan and West Germany. These programs provide an effective
supplement to American research. The participation of the NRC and industry in for- 
eign programs (e.g., Halden, Marviken, LOCA programs) has been beneficial, as has 
foreign participation in U.S. programs (e.g., LOFT, PBF). Interaction with re- 
search programs in other countries has been effective in preventing unnecessary 
duplication of work. DOE on its entry into water reactor safety research should 
also begin to take advantage of research done abroad. 


- DOE should assume a more active role in the international aspects of 
water reactor safety research. 


D. Freedom of Publication

Publication and communication of results of water reactor safety research pro-
grams by NRC, EPRI, and foreign countries have generally been good. A steady
stream of reports is issued in this field, compared to a bare trickle about ten 
years ago. However, proprietary considerations severely limit the dissemination of 
results of research by reactor vendors and utility owners’ groups. 

In recent years, the publication and distribution of results of DOE's research 
on reactor-related subjects have been restricted. This policy, which was adopted 
in order that results of the research could be used to trade for results of related 
research by other countries, is mostly applied in the fast breeder field. Research 
on water reactor safety should be treated differently in this respect from develop-
mental reactor research. Freedom of flow of information should be the rule, in
recognition of the fact that reactor safety everywhere benefits all.


- DOE's water reactor safety research program should follow a policy of
free and open publication and distribution of reports. However, this 
policy should permit protection of proprietary information of indus- 
try participants. 


E. The Role of Risk Assessment 

Probabilistic risk assessment can in principle be used to rank programs on a 
cost-benefit basis. It is important that this practice be started. However, other 
factors must also be used in arriving at such a ranking. Among these are timing of 
the program compared with timing of research needs, the probability of success, the 
impact the research may have, and the extent of resources required. 


- A policy should be instituted whereby probabilistic risk assessment 
is used as one tool in establishing priorities of research programs. 


